Как организовать аутентификацию в Kibana без X-Pack — не такую продвинутую, но вполне рабочую. Сделаем это через OpenLDAP и nginx: nginx с модулем auth-ldap проверяет учётные данные в каталоге и только после этого проксирует запрос в Kibana.
Соберём Docker-образ с nginx (1.13.10) и LDAP-модулем на базе Alpine — итоговый вес около 74 МБ.
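# syntax=docker/dockerfile:1
# NOTE(review): alpine:3.7 no longer receives security updates; bump the tag
# and pin the base by digest (alpine:<ver>@sha256:...) for a reproducible build.
FROM alpine:3.7
# MAINTAINER is deprecated; the original value used a typographic quote and an
# unterminated "<", which is not valid instruction syntax.
LABEL maintainer="Human <007@itc-life.ru>"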
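# Only the nginx version is worth keeping in the runtime environment. Everything
# else is build-time configuration and lives in ARGs so it does not leak into
# the final image's env (ARG values are still visible in `docker history`, so
# nothing secret belongs here either).
ENV NGINX_VERSION=1.13.10
ARG COMPILE_DIR=/build
ARG NB_PROC=4
ARG VERSION_PCRE=pcre-8.41
ARG VERSION_LIBRESSL=libressl-2.6.4
ARG VERSION_NGINX=nginx-${NGINX_VERSION}
# Fetch over TLS only: the original pulled nginx and LibreSSL over plain http://,
# which lets an on-path attacker hand the build a trojaned tarball. Signatures
# are still not verified -- see the TODO in the RUN step.
ARG SOURCE_LIBRESSL=https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/
ARG SOURCE_PCRE=https://ftp.pcre.org/pub/pcre/
ARG SOURCE_NGINX=https://nginx.org/download/
ARG STATICLIBSSL=${COMPILE_DIR}/${VERSION_LIBRESSL}
# nginx ./configure flags.
# --user/--group must name the account the RUN step creates (www-data): the
# root master process looks that account up at startup and exits on
# getpwnam() failure unless nginx.conf overrides `user`. The original said
# "nginx" here but only ever created "www-data".
# --with-pcre points at the PCRE tarball the RUN step downloads; without it
# the download was dead weight and nginx linked the system libpcre instead.
ARG CONFIG="\
    --prefix=/etc/nginx \
    --sbin-path=/usr/sbin/nginx \
    --modules-path=/usr/lib/nginx/modules \
    --conf-path=/etc/nginx/nginx.conf \
    --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log \
    --pid-path=/var/run/nginx.pid \
    --lock-path=/var/run/nginx.lock \
    --http-client-body-temp-path=/var/cache/nginx/client_temp \
    --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
    --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
    --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
    --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
    --user=www-data \
    --group=www-data \
    --with-http_ssl_module \
    --with-http_realip_module \
    --with-http_addition_module \
    --with-http_sub_module \
    --with-http_dav_module \
    --with-http_flv_module \
    --with-http_mp4_module \
    --with-http_gunzip_module \
    --with-http_gzip_static_module \
    --with-http_random_index_module \
    --with-http_secure_link_module \
    --with-http_stub_status_module \
    --with-http_auth_request_module \
    --with-http_xslt_module \
    --with-http_image_filter_module \
    --with-http_geoip_module \
    --with-threads \
    --with-stream \
    --with-stream_ssl_module \
    --with-stream_ssl_preread_module \
    --with-stream_realip_module \
    --with-stream_geoip_module \
    --with-http_slice_module \
    --with-mail \
    --with-mail_ssl_module \
    --with-compat \
    --with-file-aio \
    --with-http_v2_module \
    --with-pcre=${COMPILE_DIR}/${VERSION_PCRE} \
    --with-pcre-jit \
    --with-openssl=${STATICLIBSSL} \
    --add-module=${COMPILE_DIR}/ngx_http_substitutions_filter_module \
    --add-module=${COMPILE_DIR}/ngx_cache_purge \
    --add-module=${COMPILE_DIR}/lua-nginx-module \
    --add-module=${COMPILE_DIR}/nginx-auth-ldap \
    --add-module=${COMPILE_DIR}/nginx-module-vts \
    "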
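RUN set -eux \
    # Unprivileged account the workers run as. It must match --user/--group in
    # CONFIG (and `user` in nginx.conf, if set): the root master process looks
    # the name up at start and exits when getpwnam() fails.
    && addgroup -S www-data \
    && adduser -D -S -h /var/cache/nginx -s /sbin/nologin -G www-data www-data \
    # Toolchain and headers only; everything tagged .build-deps is removed below.
    # openldap-dev is all the auth-ldap module needs (the slapd backends and the
    # bare libldap package the original listed were pointless here).
    && apk add --no-cache --virtual .build-deps \
        curl \
        gcc \
        gd-dev \
        geoip-dev \
        git \
        gnupg \
        libc-dev \
        libxslt-dev \
        linux-headers \
        make \
        openldap-dev \
        pcre-dev \
        unzip \
        wget \
        zlib-dev \
    && mkdir -p "$COMPILE_DIR" \
    # Prebuilt exporter binary copied straight into /bin without any check.
    # TODO(review): pin its sha256 and run `sha256sum -c` before the mv.
    && wget -P "$COMPILE_DIR" https://github.com/hnlq715/nginx-vts-exporter/releases/download/v0.8.3/nginx-vts-exporter-0.8.3.linux-amd64.tar.gz \
    && tar -xzf "$COMPILE_DIR/nginx-vts-exporter-0.8.3.linux-amd64.tar.gz" -C "$COMPILE_DIR" \
    && mv "$COMPILE_DIR/nginx-vts-exporter-0.8.3.linux-amd64/nginx-vts-exporter" /bin/ \
    # Upstream tarballs (the SOURCE_* ARGs are https-only). gnupg is installed
    # but nothing is verified: nginx and LibreSSL publish .asc signatures and
    # LibreSSL a SHA256 list. TODO(review): gpg --verify against pinned key
    # fingerprints before extracting.
    && wget -P "$COMPILE_DIR" "$SOURCE_NGINX$VERSION_NGINX.tar.gz" \
    && wget -P "$COMPILE_DIR" "$SOURCE_PCRE$VERSION_PCRE.tar.gz" \
    && wget -P "$COMPILE_DIR" "$SOURCE_LIBRESSL$VERSION_LIBRESSL.tar.gz" \
    && wget -P "$COMPILE_DIR" https://luajit.org/download/LuaJIT-2.0.4.zip \
    # Third-party modules. Every clone tracks the default-branch HEAD, so two
    # builds can compile different code. TODO(review): pin each one
    # (git clone --branch <tag>, or checkout a commit). The git:// transport
    # the original used for vts is unauthenticated and is replaced by https.
    && git clone --depth 1 https://github.com/vozlt/nginx-module-vts.git "$COMPILE_DIR/nginx-module-vts" \
    && git clone --depth 1 https://github.com/FRiCKLE/ngx_cache_purge.git "$COMPILE_DIR/ngx_cache_purge" \
    && git clone --depth 1 https://github.com/openresty/lua-nginx-module.git "$COMPILE_DIR/lua-nginx-module" \
    && git clone --depth 1 https://github.com/yaoweibin/ngx_http_substitutions_filter_module.git "$COMPILE_DIR/ngx_http_substitutions_filter_module" \
    && git clone --depth 1 https://github.com/kvspb/nginx-auth-ldap.git "$COMPILE_DIR/nginx-auth-ldap" \
    && cd "$COMPILE_DIR" \
    && tar -xzf "$VERSION_NGINX.tar.gz" \
    && tar -xzf "$VERSION_LIBRESSL.tar.gz" \
    && tar -xzf "$VERSION_PCRE.tar.gz" \
    && unzip -q LuaJIT-2.0.4.zip \
    # LibreSSL is built into $STATICLIBSSL/.openssl so nginx's --with-openssl
    # finds a finished tree instead of running OpenSSL's own ./config.
    && cd "$STATICLIBSSL" \
    && ./configure LDFLAGS=-lrt --prefix="$STATICLIBSSL/.openssl/" \
    && make install-strip -j "$NB_PROC" \
    # LuaJIT 2.0.x installs to /usr/local (lib/libluajit-5.1.so,
    # include/luajit-2.0); lua-nginx-module is pointed at those paths below
    # instead of relying on its own search order.
    && cd "$COMPILE_DIR/LuaJIT-2.0.4" \
    && make -j "$(getconf _NPROCESSORS_ONLN)" \
    && make install \
    # One release build. The original configured twice (first with
    # --with-debug), rebuilt everything on the second pass, ran a no-op `find`
    # and chmod -R 777'd the source tree; none of that affected the result.
    && cd "$COMPILE_DIR/$VERSION_NGINX" \
    && LUAJIT_LIB=/usr/local/lib LUAJIT_INC=/usr/local/include/luajit-2.0 \
       ./configure $CONFIG \
    && make -j "$(getconf _NPROCESSORS_ONLN)" \
    && make install \
    && ln -s ../../usr/lib/nginx/modules /etc/nginx/modules \
    && rm -rf "$COMPILE_DIR" \
    \
    # Bring in gettext so we can get `envsubst`, then throw the rest away:
    # install `gettext`, park `envsubst` in /tmp so the package can be deleted
    # completely, then move `envsubst` back.
    && apk add --no-cache --virtual .gettext gettext \
    && mv /usr/bin/envsubst /tmp/ \
    \
    # Runtime shared libraries, derived from what the binaries actually link;
    # libraries living in /usr/local/lib (LuaJIT) are not apk packages and are
    # skipped.
    && runDeps="$( \
        scanelf --needed --nobanner --format '%n#p' /usr/sbin/nginx /usr/lib/nginx/modules/*.so /tmp/envsubst \
            | tr ',' '\n' \
            | sort -u \
            | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
    )" \
    && apk add --no-cache --virtual .nginx-rundeps $runDeps \
    && apk del .build-deps \
    && apk del .gettext \
    && mv /tmp/envsubst /usr/local/bin/ \
    \
    # tzdata lets users set the timezone through the environment
    && apk add --no-cache tzdata \
    \
    # Forward both logs to the container's stdout/stderr. The original linked
    # only access.log, so error.log (where auth-ldap failures land) stayed in
    # a file inside the container.
    && ln -sf /dev/stdout /var/log/nginx/access.log \
    && ln -sf /dev/stderr /var/log/nginx/error.log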
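# 443 is where the LDAP-protected vhost listens; 80 only redirects to it.
# EXPOSE is documentation for operators and tooling, it publishes nothing.
EXPOSE 80 443
# SIGQUIT is nginx's graceful stop (in-flight requests finish); SIGTERM is the
# fast shutdown that drops them.
STOPSIGNAL SIGQUIT
# No USER directive on purpose: the master must start as root to bind 80/443,
# workers then run as the --user account from the configure flags.
CMD ["nginx", "-g", "daemon off;"]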
Собираем.
Теперь подготовим конфиг для nginx:
##add_open_ldap_server
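# LDAP backend for nginx-auth-ldap. The module matches auth_ldap_servers
# against this name as a plain string; the original named the block
# "$open_ldap_server" and then `set` a variable of the same name, which only
# worked because no variable expansion ever happened. A plain identifier
# (the value that `set` assigned) removes the ambiguity.
ldap_server itc_life_ldap1 {
    # NOTE(review): plain ldap:// on 389 carries the bind password and every
    # user's credentials in clear text between nginx and the directory.
    # Switch to ldaps:// (636) or an on-host tunnel, and enable the module's
    # certificate check (ssl_check_cert / ssl_ca_file) when doing so.
    url "ldap://IP_ADDRESS_LDAP:389/DC=itc-life,DC=ru?uid?sub?(objectClass=top)";
    # A read-only service account is enough for the user search; binding as
    # the directory admin puts its password into this file.
    binddn "CN=admin,DC=itc-life,DC=ru";
    # Clear-text secret: keep this file root-only (0600) and out of the image.
    binddn_passwd ПАРОЛЬ_LDAP;
    # Group attributes are only consulted by `require group`, which is not used
    # below; they are harmless here.
    group_attribute "main";
    group_attribute_is_dn on;
    # valid_user lets any account that can bind in. Add
    # `require group "<group DN>";` once a Kibana group exists.
    require valid_user;
    max_down_retries 300;
}
upstream kibana {
    # nginx must be the only thing that can reach 5601: any client that
    # connects to Kibana directly bypasses the LDAP check entirely.
    server IP_KIBANA:5601;
}
server {
    listen 80;
    server_name kibana.itc-life.ru;
    root /dev/null;
    access_log off;
    # Plain-http requests are only ever redirected to the TLS vhost.
    location / {
        return 301 https://$server_name$request_uri;
    }
}
server {
    listen 443 ssl http2;
    server_name kibana.itc-life.ru;
    include ssl.d/itc-life.ru/ssl.conf;
    # NOTE(review): this is an authenticated admin UI; with access_log off
    # there is no record of who reached Kibana and when.
    access_log off;
    # Every request on this vhost is checked against the ldap_server above
    # before being proxied ("Forbidden" is the realm shown in the browser
    # prompt). Each request performs an LDAP bind; the module's
    # auth_ldap_cache_* directives can cache successful results.
    auth_ldap "Forbidden";
    auth_ldap_servers itc_life_ldap1;
    location / {
        proxy_pass http://kibana;
        # HTTP/1.1 + Upgrade pass-through for the Kibana UI's long-lived
        # connections
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}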
Содержимое ssl.d/itc-life.ru/ssl.conf (как получить wildcard-сертификат от Let's Encrypt — см. отдельную статью):
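# ssl.d/itc-life.ru/ssl.conf -- included from the `listen 443 ssl http2` server.
# `ssl on;` is dropped: the listen flag already enables TLS and the directive
# is deprecated from nginx 1.15.
# OCSP stapling. ssl_stapling_verify makes nginx validate the responder's
# answer against ssl_trusted_certificate instead of stapling it blindly.
# Stapling also needs a `resolver` directive in the enclosing block to look
# up the OCSP responder; without one it silently stays off.
ssl_stapling on;
ssl_stapling_verify on;
ssl_certificate /etc/letsencrypt/live/itc-life.ru/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/itc-life.ru/privkey.pem;
# NOTE(review): for OCSP verification the issuer chain is what matters;
# certbot's chain.pem is the conventional file here, fullchain.pem also works.
ssl_trusted_certificate /etc/letsencrypt/live/itc-life.ru/fullchain.pem;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_session_timeout 24h;
ssl_session_cache shared:SSL:2m;
# Session tickets are encrypted with a key nginx generates at start and never
# rotates; disabling them keeps forward secrecy over the process lifetime.
ssl_session_tickets off;
# TLS 1.0/1.1 are deprecated (no AEAD suites, downgrade-prone). TLS 1.3 is
# not listed because this build links LibreSSL 2.6.4, which does not offer it.
ssl_protocols TLSv1.2;
# ECDHE + AEAD only. The original list still allowed static-RSA key exchange
# (no forward secrecy) and 3DES (SWEET32).
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;
# `always` sends HSTS on error responses too (add_header otherwise covers only
# 2xx/3xx); the trailing ';' inside the value was redundant.
add_header Strict-Transport-Security "max-age=31536000" always;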